Thursday, February 12, 2015

Shades of Grey

It may seem as though there is an easy distinction between the legitimate and the malicious. The reality is, the world of online security is not always black and white. More often, it is filled with shades of grey.
I frequently write about malware, spam, credit card fraud, and various computer crimes. In my and others' writing it may seem as though there is an easy distinction between the legitimate and the malicious. The reality is, the world of online security is not always black and white. More often, it is filled with shades of grey.

The same behavior may be perfectly legitimate in one context, and purely criminal in another. The same program or tool can be used for benevolent purposes by one person, and for malicious gain by another. In fact one person may use technology tools for good by day, and for evil by night: Brian Krebs wrote in his book Spam Nation the tale of Pavel Vrublevsky, a Russian who simultaneously ran a widespread pharmaceutical spam program and served as chairman for the anti-spam working group in the Russian Ministry of Telecom.

In the United States, a foundational law around computer crimes is the Computer Fraud and Abuse Act, or CFAA, of 1986.

1986.

When you could mention the Space Shuttle disaster and not have to explain which one.

The year of the Chernobyl nuclear power plant accident.

The year Haley's Comet last swung through the inner solar system.

Two years before smoking was banned on domestic commercial flights.

In 1986, the entirety of the known PC malware universe consisted of Brain, a MS-DOS based computer virus that spread via 5-1/4 inch floppy disks. Microsoft released MS-DOS 3.1, which introduced support for 3-1/2 inch floppy disks that held a whopping 720 kilobytes of storage (that's 0.7 megabytes, or 0.0007 gigabytes). Microsoft Windows 1.0 was the big OS news. Mobile phones were bulky novelties that - get this - made phone calls. The Internet as we know it was still years away; its precursor connected a few universities and a few military institutions.

A law written in this era is still a crucial definition of what is acceptable and what it unlawful. As you can imagine, CFAA is ambiguous when it comes to modern interconnected technologies, and leaves much to the interpretation of the courts. Technology researchers and companies have been pushing for an update, and the rash of major cyber incidents in the last 2 years has caught the attention of the White House.

There is a danger though that well-meaning legislators that don't understand what they are legislating could cause more harm than good. The initial proposals are just that - proposals - but they cover a couple of key areas. The two most concerning to researchers such as myself are the combination of lengthened prison terms for computer crimes (up to ten years), along with a subtle change in the language of what defines a computer crime.

Proposed changes to CFAA could make security research a crime punishable by ten years in prison

The current law defines a computer crime as an action that exceeds authorization and is taken with intent to defraud. The proposal defines such a crime as simply knowingly "trafficking" in any information that could be used to gain access to a protected computer. It is that language that truly worries researchers, because much of what we do could be defined as trafficking in "means of access."

It's not ignorance that is at fault here - it's those pesky shades of grey. I'll give a few examples.

About a year ago, I found that my wireless router was not updated to the latest available firmware, even though the update button said it was up-to-date. Being a curious soul, I set out to find out why. Eventually I discovered that my router relied on a file stored at the manufacturer's website, which listed the latest firmware version for every router model; that file had not been updated, so as far as my router knew, it had the latest version.

My research was completely aboveboard, with no malicious intent nor malicious use. In fact, that research led to an informal relationship with the product team at this manufacturer such that I've been able to beta test several new products and recommend changes to make them more secure upon public release. In fact, I have discovered a few more serious flaws, which the company fixed before I published my research. Under the proposed law though, I accessed the website in a manner that was not intended by the manufacturer, and thus exceeded the intended authorization. My blog posts describing the flaws could enable a malicious hacker to gain access to devices where the owner has not updated to the fixed firmware. My beneficial research - which has resulted in more secure routers used in hundreds of thousands of homes and small businesses - could have instead earned me a decade in a federal penitentiary.

Shades of grey.

Another example turns the tables. I use a variety of software and devices to protect my home network from viruses, malware, and attacks. A recent addition was an IDS, or intrusion detection system, using open-source Snort software on a Raspberry Pi running Kali Linux. I wrote some custom rules to detect undesired activity by looking at the responses OpenDNS gave to domain name queries. OpenDNS is like a smart phone book: for most websites it responds with the correct network address, but for known undesireable sites (whether they be malicious, or blocked by our family policy), it instead responds with the address of a page that says "you don't really want to go here."

Shortly after turning on the system, I noticed that my teenage son's laptop was frequently making DNS queries that triggered alerts - at a rate orders of magnitude more frequent that any other devices on the network. On investigating, almost all of these alerts were for requests for advertising domains. The culprit was two browser "helpers" that had been installed on his computer - one known as "Jollywallet" and the other as "LPT Monetizer." Both are programs that hook into a web browser and display advertisements, presumably to earn money for those controlling the ad network. More advertising impressions equal more revenue.

Why did my anti-virus program not detect and block these programs? Strictly speaking, they are not malware. They don't steal passwords or break into bank accounts. They don't delete files or destroy hard drives. They don't seek out other computers to infect, or databases to hack. Somewhere along the line, they probably came as a hidden "benefit" of a game or other program my son intentionally installed.

Shades of grey.

Oracle's Java installs undesired "extras" with every update

An even more egregious practice is taken by Oracle, the Fortune 100 corporation that owns Java software. Java is used on over 3 billion devices (according to Oracle's own marketing). It is a programming language often used for the user interface on websites, smart TVs, Blu-Ray players, and other connected devices. And every time it is updated, it suggests installing a piece of junkware called the "Search App by Ask" (once known as the Yahoo! toolbar). Unless you intentionally uncheck the box every time, you are installing this add-on. This is one of the largest companies in the world, exploiting its dominance to distribute undesireable software, all to make a few extra bucks.

Malware or not though, they are certainly a nuisance. And yet, there is nothing in the proposed CFAA updates that would clearly make these practices illegal.

Shades of grey.

Why write this? I have two reasons. The first is to educate my readers. Technology and the Internet are simply tools, neither good nor bad in and of themselves. Their "goodness" or "badness" is a matter of who wields them and for what purpose.

The second purpose is as a letter to those in Congress that will write laws regarding computer abuse and research. Security research is shrouded in shades of grey. Black and white laws with no room for interpretation, or no exemption for good-faith research and sharing, risk squashing an industry of good guys. The research we do - often on our own time with no expectation of being paid - results in better security for everyone. The bad guys will continue researching and exploiting vulnerabilities regardless of the law. My "hacker" peers and I just want to find and fix flaws first. Don't discourage us.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen